Legal claims defining the scope of protection, as filed with the USPTO.
1. An electronic device, comprising: processing circuitry; and a memory coupled to the processing circuitry, the memory includes a first logic that, when executed by the processing circuitry, organizes (i) a first plurality of indicators of compromise (IOCs) received from a first source, where the first plurality of IOCs being associated with a known origin of a malicious attack, and (ii) one or more IOCs received from a second source, the second source being different from the first source, and a second logic that, when executed by the processing circuitry, determines that the one or more IOCs received from the second source originated from the known origin undetected by the electronic device based on (i) determining that the one or more IOCs have at least a degree of correlation with the first plurality of IOCs that satisfies a first threshold, and (ii) determining that a threat level associated with the one or more IOCs satisfies a second threshold to signify a degree of confidence that the one or more IOCs are associated with the known origin of the first plurality of IOCs.
2. The electronic device of claim 1, wherein the known origin of the malicious attack corresponds to a type of message including an electronic mail message detected by the first source as including malware.
3. The electronic device of claim 1, wherein the known origin of the malicious attack corresponds to a type of message including a text message detected by the first source as including malware.
4. The electronic device of claim 1, wherein the first logic determining that a triggering event has occurred in response to an increase in a number of occurrences or percentage of occurrences of a particular type of behavior being one of the first plurality of IOCs, the triggering event to cause the second logic to determine that the one or more IOCs received from the second source originated from the known origin undetected by the electronic device.
5. The electronic device of claim 1, wherein the first logic determining that a triggering event has occurred, the triggering event signifies a likelihood that the one or more IOCs from the second source is caused by an undetected malicious electronic message present at the second source.
6. The electronic device of claim 1, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs is varied based on an operating state of the electronic device.
7. The electronic device of claim 1, wherein the degree of correlation between the one or more IOCs and the first plurality of IOCs is set to a first level when the electronic device is in a first operating state, the first level requires the one or more IOCs to be in a same chronological order and present within the first plurality of IOCs.
8. The electronic device of claim 1, wherein at least the first source corresponds to a cloud service.
9. A computerized method, comprising: receiving data associated with behaviors detected by a first source, the data associated with the behaviors from the first source being obtained from an analysis of one or more portions of a message by the first source; and performing a predictive analysis on the received data associated with the behaviors detected by the first source by at least (i) evaluating whether the data associated with the behaviors has at least a prescribed degree of correlation with data associated with a first plurality of behaviors received from at least a second source, where the first plurality of behaviors being associated with a known malware detected by the second source, and (ii) determining a threat level signifying at least a degree of confidence that the data associated with the behaviors received from the first source are caused by an undetected malicious electronic message at the first source.
10. The method of claim 9, wherein the predictive analysis determines whether the behaviors detected by the first source have been caused by the known malware detected by the second source.
11. The method of claim 9, wherein the undetected malicious electronic message corresponds to an electronic mail message.
12. The method of claim 9, wherein prior to performing the predictive analysis, the method further comprising: determining whether a triggering event has occurred and performing the predictive analysis in response to an occurrence of the triggering event.
13. The method of claim 12, wherein the triggering event is determined to occur by at least detecting a shift in number or percentage of a type of behavior, where the shift in number exceeds a prescribed threshold.
14. The method of claim 13, wherein the shift in number corresponds to an increase in number or percentage of indicators of compromise, each of the indicators of compromise corresponding to a malicious behavior.
15. The method of claim 9, wherein the evaluating whether the data associated with the behaviors has at least a prescribed degree of correlation with the data associated with the first plurality of behaviors comprises determining the degree of correlation between known indicators of compromise to indicators of compromise corresponding to the data associated with the behaviors detected by the first source.
16. The method of claim 9, wherein the determining of the threat level is based on a determination of a similarity in type or order of the received data associated with the behaviors detected by the first source and the data associated with the first plurality of behaviors received from the second source.
17. The method of claim 9, wherein the determining of the threat level is based on a determination of a prescribed change in number of indicators of compromise being at least a portion of the data associated with the behaviors detected by the first source.
18. The method of claim 9, wherein the degree of correlation between the data associated with the behaviors and the data associated with the first plurality of behaviors is varied based on an operating state of an electronic device performing the predictive analysis.
19. The method of claim 18, wherein the degree of correlation between the data associated with the behaviors and the data associated with the first plurality of behaviors is set to a first level when an electronic device performing the predictive analysis is in a first operating state, the first level requires the data associated with the behaviors to be in a same chronological order and present within the data associated with the first plurality of behaviors.
20. A non-transitory storage medium including software that, when executed, performs a plurality of operations comprising: receiving data associated with behaviors detected by a first source, the data associated with the behaviors from the first source being obtained from an analysis of one or more portions of a message by the first source; and performing a predictive analysis on the received data associated with the behaviors detected by the first source by at least (i) evaluating whether the data associated with the behaviors has at least a prescribed degree of correlation with data associated with a first plurality of behaviors received from at least a second source, where the first plurality of behaviors being associated with a known malware detected by the second source, and (ii) determining a threat level signifying at least a degree of confidence that the data associated with the behaviors received from the first source are caused by an undetected malicious electronic message at the first source.
21. The non-transitory storage medium of claim 20, wherein the software performs the predictive analysis by at least determining whether the behaviors detected by the first source have been caused by the known malware detected by the second source.
22. The non-transitory storage medium of claim 20, wherein the undetected malicious electronic message corresponds to an electronic mail message.
23. The non-transitory storage medium of claim 20, wherein prior to performing the predictive analysis, the software further performs an operation that comprises determining whether a triggering event has occurred and performing the predictive analysis in response to an occurrence of the triggering event.
24. The non-transitory storage medium of claim 23, wherein the triggering event is determined to occur by at least detecting a shift in number or percentage of a type of behavior, where the shift in number exceeds a prescribed threshold.
25. The non-transitory storage medium of claim 24, wherein the shift in number corresponds to an increase in number or percentage of indicators of compromise each corresponding to a malicious behavior.
26. The non-transitory storage medium of claim 20, wherein the software evaluates whether the data associated with the behaviors has at least a prescribed degree of correlation with the data associated with the first plurality of behaviors by at least determining the degree of correlation between known indicators of compromise to indicators of compromise corresponding to the data associated with the behaviors detected by the first source.
27. The non-transitory storage medium of claim 20, wherein the determining of the threat level is based on a determination of a similarity in type or order of the received data associated with the behaviors detected by the first source and the data associated with the first plurality of behaviors received from the second source.
28. The non-transitory storage medium of claim 20, wherein the determining of the threat level is based on a determination of a prescribed change in number of indicators of compromise being at least a portion of the data associated with the behaviors detected by the first source.
29. The non-transitory storage medium of claim 20, wherein the degree of correlation between the data associated with the behaviors and the data associated with the first plurality of behaviors is varied based on an operating state of an electronic device performing the predictive analysis.
30. The non-transitory storage medium of claim 29, wherein the degree of correlation between the data associated with the behaviors and the data associated with the first plurality of behaviors is set to a first level when an electronic device performing the predictive analysis is in a first operating state, the first level requires the data associated with the behaviors to be in a same chronological order and present within the data associated with the first plurality of behaviors.
31. The electronic device of claim 1 is deployed as part of a cloud service.
32. The electronic device of claim 1 is an endpoint device.
33. The method of claim 9 , wherein the performing of the predictive analysis is conducted as part of a cloud service.
34. The non-transitory stroage medium of claim 20 , wherein the plurality of operations are conducted as part of a cloud service.
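The claims above describe one procedure: wait for a triggering event (a jump in the number or share of IOC-type behaviors, claims 4 and 12-14), measure how well the second source's IOCs correlate with the IOC sequence of a known malicious message, with the strictness of that measure depending on the device's operating state (claims 6-7 and 18-19), derive a threat level from type/order similarity and the change in IOC count (claims 16-17), and attribute the behaviors to the known origin only when both the correlation threshold and the threat-level threshold are met (claims 1 and 9). The Python below is an added illustration of that flow and is not code from the patent or its assignee; the behavior names, window counts, weights and threshold values are all constructed assumptions chosen to make the logic visible.

```python
from typing import Dict, List, Sequence

# --- Constructed sample data (assumptions, not from the patent) ---------------
# First source (e.g. an email-analysis service): behaviors tied to a message it
# already classified as malicious, in the order they were observed.
KNOWN_ORIGIN_IOCS: List[str] = ["office_macro_exec", "powershell_encoded",
                                "dns_txt_lookup", "persistence_runkey"]
IOC_TYPES = set(KNOWN_ORIGIN_IOCS)   # behavior types counted as IOCs

# Second source (e.g. endpoint telemetry): behavior counts per reporting window.
PREVIOUS_WINDOW = {"office_macro_exec": 2, "dns_txt_lookup": 1, "browser_update": 40}
CURRENT_WINDOW = {"office_macro_exec": 9, "powershell_encoded": 7, "dns_txt_lookup": 6,
                  "persistence_runkey": 5, "browser_update": 38}
# Distinct IOC-type behaviors the second source reported, in chronological order.
OBSERVED_IN_ORDER = ["office_macro_exec", "powershell_encoded", "persistence_runkey"]
OBSERVED_OUT_OF_ORDER = ["persistence_runkey", "office_macro_exec"]


def ioc_count(window: Dict[str, int]) -> int:
    """Number of IOC-type behavior occurrences in one reporting window."""
    return sum(n for b, n in window.items() if b in IOC_TYPES)


def triggering_event(prev: Dict[str, int], curr: Dict[str, int],
                     growth_threshold: float = 2.0) -> bool:
    """Claims 12-14: fire when the IOC count, or the IOC share of all behaviors,
    grows by at least growth_threshold between two windows (threshold assumed)."""
    prev_n, curr_n = ioc_count(prev), ioc_count(curr)
    prev_share = prev_n / max(sum(prev.values()), 1)
    curr_share = curr_n / max(sum(curr.values()), 1)
    return curr_n >= growth_threshold * max(prev_n, 1) or curr_share >= growth_threshold * prev_share


def is_subsequence(needle: Sequence[str], haystack: Sequence[str]) -> bool:
    """True if every item of needle appears in haystack in the same relative order."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def correlation(observed: Sequence[str], known: Sequence[str], strict: bool) -> float:
    """Claims 6-7 / 18-19: the required degree of correlation depends on operating state.
    strict  -> 1.0 only if observed IOCs are present in known AND in the same
               chronological order, else 0.0
    relaxed -> fraction of observed IOCs present in known, order ignored."""
    if not observed:
        return 0.0
    if strict:
        return 1.0 if is_subsequence(observed, known) else 0.0
    known_set = set(known)
    return sum(1 for b in observed if b in known_set) / len(observed)


def threat_level(observed: Sequence[str], known: Sequence[str],
                 prev: Dict[str, int], curr: Dict[str, int]) -> float:
    """Claims 16-17: confidence from similarity in type, similarity in order, and
    the change in IOC count. Weights 0.5/0.3/0.2 and the 10x growth cap are assumed."""
    type_sim = correlation(observed, known, strict=False)
    shared = [b for b in observed if b in set(known)]
    order_sim = 1.0 if is_subsequence(shared, known) else 0.5
    growth = min(ioc_count(curr) / max(ioc_count(prev), 1), 10.0) / 10.0
    return round(0.5 * type_sim + 0.3 * order_sim + 0.2 * growth, 3)


def attribute_to_known_origin(observed: Sequence[str], known: Sequence[str],
                              prev: Dict[str, int], curr: Dict[str, int], strict: bool,
                              corr_threshold: float = 0.75, threat_threshold: float = 0.7) -> bool:
    """Claims 1 and 9: attribute the second source's behaviors to the known origin only
    after a trigger, and only when BOTH the correlation threshold (first threshold) and
    the threat-level threshold (second threshold) are satisfied. Thresholds assumed."""
    if not triggering_event(prev, curr):
        return False
    corr = correlation(observed, known, strict)
    level = threat_level(observed, known, prev, curr)
    return corr >= corr_threshold and level >= threat_threshold


if __name__ == "__main__":
    for name, obs in (("in-order", OBSERVED_IN_ORDER), ("out-of-order", OBSERVED_OUT_OF_ORDER)):
        for strict in (True, False):
            verdict = attribute_to_known_origin(obs, KNOWN_ORIGIN_IOCS,
                                                PREVIOUS_WINDOW, CURRENT_WINDOW, strict)
            print(f"{name:13s} strict={strict!s:5s} -> attributed={verdict}")
```

The two operating states show why the claims tie correlation strictness to device state: the out-of-order observation is attributed under the relaxed state (every observed IOC is a known one) but rejected under the strict state, which demands the known chronological order. The threat level still reflects that ordering mismatch through the lower order-similarity term, so a defender tuning the second threshold can choose how much weight order carries without changing the first threshold.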
May 25, 2021